1. Introduction 

1.1. Overview 

IBM MaaS360 On-Premises Mobile Enterprise Gateway (MEG) provides simple, seamless and secure access to 
behind-the-firewall information resources for your mobile users. This access can be enabled for your mobile 
population without requiring you to implement a new VPN-like technology. IBM MaaS360 provides a great user 
experience and usability benefits, including: 

• Seamless logon 

• Credential caching 

• One-time logon across multiple applications 

• Single sign-on to intranet resources that are protected by strong authentication schemes 
like NTLM, Kerberos, SPNEGO and Identity Certificates 

MEG is part of the IBM MaaS360 Cloud Extender. 

MEG provides maximum security by authenticating users and devices based on Corporate Directory 
credentials and IBM MaaS360 Enrollment Identity Certificates, thereby satisfying the two-factor 
authentication requirements for intranet resources. The solution ensures that all communication between 
mobile devices and MEG is fully encrypted and secured end-to-end, preventing man-in-the-middle attacks. 

All data on the Mobile Device is stored in the IBM MaaS360 container, fully encrypted and protected from 
data leaks, and is protected by IBM MaaS360 container security policies depending on your security 
requirements. 

Additional security benefits include the following: 

• Seamless background re-authentication of users and devices without prompting end users for 
credentials 

• Authentication token requirements for every intranet resource 

• Proxy access list validation on the gateway 

These benefits come without compromising a great user experience, which is typically not the case with 
VPN-based solutions. 

Tight integration with the IBM MaaS360 console helps define lockout policies and provides the ability to 
revoke access to the gateway based on automated compliance rules. 

MEG helps your organization mobilize corporate resources to your ever-growing mobile population while still 
maintaining control over the data flow and associated data security. 

1.2. What’s new in MEG 2.0? 

• Seamless integration with IBM MaaS360, with easy configuration 

• Integration with the Cloud Extender module 

• Strong gateway authentication schemes 

• Cross Forest/Cross Domain authentication 

• Support for SSO for MEG across multiple apps on a device 

• Support for Kerberos/SPNEGO and NTLM v2 authentication against sites 

• Internal Proxy support for sites 

• Granular proxy access list 

• Seamless High Availability (HA) configuration 

• High-scaling up to 100k devices 

• Regional Gateway Cluster support and automatic local gateway routing 

• Streaming scenarios (large files and videos) 

• WebDAV support for Windows File Shares 

1.3. Gateway Mode 

MEG operates in Direct Access mode: devices talk directly to it for resource access. 

MEG can also be installed as a standalone gateway for smaller deployments, or as a clustered gateway for 
HA, but it will always be in Direct Access mode. 

This document describes the MEG architecture for Direct Access mode for standalone and High Availability 
installations, and provides detailed instructions on how to implement the solution in your environment. 

Note: Relay Access mode is currently not supported for IBM MaaS360 On Premises. 

Note: To enable MEG for your installation, please contact IBM Support. 
2. System Requirements 

Before beginning the installation, make sure the following requirements are met: 

• Installation target: a physical or virtual machine running Windows Server 2012, 2008 R2, or 2008 for 
the IBM MaaS360 Mobile Enterprise Gateway. 

• A Service Account that MEG can run as: 

o A member of the Domain Users group in your Active Directory 

o A member of the local Administrators group on the server 

• Memory: 4 GB 

• Processor: dual core 

• CPU: 2.8 GHz 

• Disk space: 2 GB 

• Access to the following URLs from the MEG machine (port 443 outbound is used by the gateway to 
communicate with the IBM MaaS360 Backend and Web Services): 

o IBM MaaS360 Backend 

o Service URL for the IBM MaaS360 On Premises instance 

• Supported clients: 

o iOS 6.0 and higher 

o Android 4.2 or later (carrier versions) 
3. Direct Access Mode 

3.1. Architecture 

Traffic through MEG proceeds between the Internet, your corporate network and IBM MaaS360 as follows: 

1. Gateway Provisioning Services (part of the IBM MaaS360 Cloud Extender) registers with IBM MaaS360 On 
Premises. 

2. The IBM MaaS360 app on the device fetches MEG details. 

3. The app connects to MEG. 

4. The app requests intranet access from IBM MaaS360 On Premises. 

5. IBM MaaS360 On Premises compares the user’s credentials with the Active Directory/LDAP credentials 
and grants access if they match. 

6. The user can access corporate resources with the device. 

7. Information from the content repositories can be sent to the device. 

• The IBM MaaS360 app for iOS and Android, the IBM MaaS360 Secure Browser and any Enterprise App 
wrapped within IBM MaaS360 or integrated with the IBM MaaS360 SDK can communicate with MEG. 

• The apps connect directly to the gateway for intranet resource access. 

• Access is via HTTPS if an SSL certificate is used. 

• In addition to the SSL connections to the Gateway, the payloads themselves are encrypted with 
AES-256 end-to-end between the app and the Gateway. 
3.2. Architecture Components 

MEG has two components, the Client and the Gateway. 

3.2.1. Client 

• Corporate data is protected within the context of the IBM MaaS360 app container, with enforced 
policies. 

3.2.2. Gateway 

• Windows-based server software that runs on a physical host machine or Virtual Machine (VM) on your 
organization’s internal network or DMZ. 

• It is packaged along with the Cloud Extender as a module. 

• Your network needs to allow inbound traffic to the Gateway server. The port can be configured. 

• The gateway receives intranet access requests from the mobile devices, fetches the resource and 
posts the resulting payloads back to the mobile devices. 

• These payloads are encrypted end-to-end with AES-256 bit encryption. The key is shared only 
with the device. 

• MEG authenticates users against Active Directory/ LDAP servers. 

• Supports Single Sign-On (SSO) for upstream sites that challenge for NTLM, Kerberos, SPNEGO and 
Identity Certificate-based authentication. 
4. MEG Installation and Basic Set Up 

4.1. MEG Installation 

To install MEG, perform the following steps: 

1. Log in to IBM MaaS360 and browse to the Services page (Setup > Services). 

2. The Enterprise Gateway feature should have a checkmark. 

Note: If this has not been enabled, please contact your Fiberlink representative. 

[Screenshot: the Enterprise Gateway entry on the Services page. It describes the feature (access to 
corporate Intranet, Windows File Share and SharePoint servers from mobile devices), lists the available 
relays, and shows three links: 1. Download and Install Cloud Extender (Click here to get your license key); 
2. Define the list of Allowed Intranet Sites in Workplace Persona Policies and assign Gateway(s) to use 
via policies; 3. Set up Windows File Shares and internal SharePoint sites for distribution to devices.] 

3. Download the Cloud Extender using the download link from Step 1 in the portal. Select Click here to 
send your license key to your registered email address. (MEG is part of the Cloud Extender.) 


4.1.1. Complete the Cloud Extender Installation Process 

To install the Cloud Extender, perform the following steps: 

1. On the Welcome screen, click Next. 

2. Click Next to install the files into the default folder. 

[Screenshot: the InstallShield Wizard Destination Folder screen, showing the default path 
C:\Program Files (x86)\MaaS360\Cloud Extender and a Change... button.] 

3. Enter the license key and click Next. 

4. When the installation has completed, click Finish. 

Once the Cloud Extender installation completes, the Cloud Extender Configuration Tool launches 
automatically. 

4.1.2. Configure the Outbound Proxy Settings for the Cloud Extender 

If you use a proxy server for outbound access, configure proxy settings on this screen. 

Cloud Extender uses these settings to reach out to IBM MaaS360 backend services for overall configuration 
and management. 

Cloud Extender supports: 

• Manual Proxy: Enter the hostname/ IP and port 

• Proxy PAC URL: URL to a PAC file hosted in your environment 

• Auto Proxy: PAC file is typically hosted in your DHCP or DNS server as Web Proxy Auto-Discovery 
Protocol (WPAD) file 

• No Proxy: If your network allows direct outbound connection 

If your proxy requires authentication, select the Use Proxy Authentication checkbox and configure a 
service account credential that can be used to authenticate and traverse through the proxy. 

Note: This proxy setting is only used for outbound connections from the Cloud Extender. 

[Screenshot: the Check for Internet connectivity screen, reporting "Internet access available. Click Next 
to continue", with the options Do not use proxy, Manually configure proxy settings, Proxy PAC URL and 
Auto Proxy, and the Use Proxy Authentication checkbox.] 

4.1.3. Set Up the Gateway Authentication Mode 

To set up the Gateway Authentication Mode, perform the following steps: 

1. On the list of available services, check the Enterprise Gateway option. 

The Gateway module might take a few minutes to download after the Cloud Extender installation. If the 
Enterprise Gateway option is missing, close the configuration tool and reopen it in a couple of minutes. 

[Screenshot: the Select the Services to be configured screen, with Enterprise Gateway checked.] 

2. Choose the Directory Type used for User Authentication. 

a. For Active Directory: 

i. Select Active Directory and then click Next. (The tool notes that PowerShell version 2.0 or greater 
must be installed on this server to continue.) 

ii. Enter the Service Account’s Username, Password and Domain (see System Requirements). 
Click Next to receive the success message. 

iii. Click OK to dismiss the success message, and then click Next to go to Test Authentication. 

[Screenshot: the Configure Service Account screen, with Username, Password and Domain fields and the 
Enable Secure Authentication Mode checkbox.] 
b. If your Directory Type is LDAP: 

i. Select LDAP as the Directory Type to use for User Authentication, and then click Next. (Supported 
LDAP directories: Active Directory, OpenLDAP, Novell eDirectory, Oracle Directory Server, IBM Domino LDAP.) 

ii. On the Configure LDAP Integration screen, click Edit, enter the appropriate settings and 
then scroll down for the next group of settings: 
iii. Enter the following settings and click Next: 

• LDAP Server Name & Port: FQDN of your LDAP server and its port. 

• Authentication Type: Basic or Digest. 

• Bind Username & Password: service account credentials. 

• LDAP Search Base: the search root in your LDAP directory. 

• User Search Attribute: the name of the attribute that identifies the user in your LDAP server (such 
as sAMAccountName in Active Directory). 

• Filter by Groups: does not apply to LDAP authentication. 

iv. When you have entered your changes, you will receive a success message. Click OK to 
dismiss the message. You can scroll down to read the values and then click Next. 



4.1.4. Test Authentication 

After the Gateway has been set up and credentials have been saved, you can test authentication against 
your Directory using the Test Authentication and Test Reachability workflows. 

5. MEG Configuration in Standalone Mode 


If you plan to set up your gateways in an HA cluster, skip to Gateway Configuration in HA mode . 

Note: If a gateway has already been configured as standalone, you cannot switch the gateway mode to HA. 

5.1. Configure MEG as Standalone in Direct Mode 

To configure MEG as a standalone gateway in Direct mode, enter the settings as shown below. When 
finished, click Next to move to the next screen. 

[Screenshot: the Enterprise Gateway configuration screen, showing Configuration Mode (Standalone selected; 
the High Availability options are Setup a new Gateway cluster and Join an existing Gateway cluster), 
Gateway Name (MaaS360 Gateway), Gateway Mode (Direct selected), the Use Web Server/Load Balancer in front 
of the Gateway checkbox, Gateway External URL (including port) and Gateway Server Port.] 
You may want to use a web server or load balancer in front of the Gateway. If so, enter the following 
settings: 

• Configuration Mode: the gateway can be configured as a standalone instance or a High Availability 
cluster. Select Standalone. 

• Gateway Name: enter any Gateway Name. This is the name that appears in all IBM MaaS360 portal 
workflows. 

• Gateway Mode: select Direct. 

• Use Web Server / Load Balancer in front of the Gateway: if selected, you will be required to configure 
your load balancer to: 

o Accept inbound traffic from mobile devices 

o Forward this traffic to the Gateway server 

• Gateway External URL (including port): if a load balancer is used in front of the gateway, the Gateway 
URL is the external URL (hostname) of your load balancer. If a load balancer is not used, the Gateway URL 
is the hostname of this gateway server. This external URL should include the port if it is different from 
the standard ports for HTTP or HTTPS. 

• Gateway Server Port: the port on which the gateway server runs and listens for requests. If a load 
balancer is used, ensure that it forwards traffic to this Gateway port. If a load balancer is not used, 
the Gateway port can be any open port on this gateway server. 
5.2. SSL Configuration 

To set up your SSL configuration, enter the settings as shown below, and scroll down. 

[Screenshot: the lower part of the Enterprise Gateway screen, showing Gateway External URL 
(https://maas_gateway_server_host), Gateway Server Port, the Use SSL checkbox, and the SSL Certificate 
file picker with the note that the SSL Certificate needs to be issued by a Public Certificate Authority 
and that self-signed certificates are not supported.] 

Enter this group of settings, and then click Next. 
• Use SSL: use SSL encryption on top of the AES 256-bit end-to-end encryption to further secure 
communication between the mobile device and the gateway. This is optional; not using SSL will not 
compromise the security of MEG. 

o If you do not use a load balancer, the SSL Certificate (see below) is used by the mobile device to 
initiate an SSL session to the gateway. 

o If you use a load balancer, the SSL Certificate (see below) is used by your load balancer to initiate 
an SSL session to the gateway. Traffic between the mobile device and your load balancer can be secured 
by your load balancer’s SSL certificate; please refer to your vendor documentation for details. 

• SSL Certificate: path to the SSL certificate (.pem) file. If a load balancer is not used, SSL 
terminates on your gateway. In this case, you are required to get an SSL certificate from a public 
Certificate Authority (CA); self-signed certificates are not supported. 

• SSL Certificate Private Key: private key of the SSL certificate (.key) file. 

• Accept all Untrusted Certificates: if you select this option, the gateway ignores any certificate 
exceptions from intranet resources. For example, if your intranet site has a self-signed certificate, 
accessing this site throws a certificate exception. With this option, the exception is ignored and the 
request is served by the gateway. 

It is recommended not to check this option. Instead, install the site SSL certificates in the 
Certificate store of the Gateway server. 
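To make the trade-off behind the Accept all Untrusted Certificates option concrete, here is an added example (not code from IBM MaaS360 or the MEG product) that builds, with Python's standard ssl module, the client-side TLS context a gateway-like service would use towards intranet sites. It shows the weak setting, which switches off certificate and hostname verification for every site, next to the recommended alternative, which keeps verification on and trusts the site's issuing CA explicitly, the equivalent of installing the site certificate in the gateway server's certificate store. The function names and the optional site_ca_file parameter are this example's own.

```python
"""Upstream TLS verification: 'accept all untrusted' versus a trust-store fix.

Added example, not code from IBM MaaS360 or the MEG product. The two branches
below correspond to the two states of the "Accept all Untrusted Certificates"
option: the weak setting accepts any certificate from any intranet site, the
recommended setting keeps verification on and adds the site's CA to the trust
store instead. Function and parameter names are this example's own.
"""
import os
import ssl
from typing import Optional


def upstream_context(accept_untrusted: bool,
                     site_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build the client-side TLS context used towards intranet (upstream) sites."""
    # A default client context verifies the chain and checks the hostname.
    ctx = ssl.create_default_context()
    if accept_untrusted:
        # Weak setting: certificate errors from every intranet site are ignored,
        # so an expired, forged or mis-issued certificate is never noticed.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Recommended setting: keep chain and hostname verification, and trust the
    # issuing CA of the intranet site explicitly (the equivalent of installing
    # the site certificate in the gateway server's certificate store).
    ctx.load_default_certs()
    if site_ca_file is not None:
        if not os.path.isfile(site_ca_file):
            raise FileNotFoundError(f"CA bundle not found: {site_ca_file}")
        ctx.load_verify_locations(cafile=site_ca_file)
    return ctx


def describe(ctx: ssl.SSLContext) -> str:
    """Summarise what a context enforces, e.g. for a configuration review log."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "INSECURE: certificate chain and hostname are not verified"
    if not ctx.check_hostname:
        return "WEAK: chain verified but hostname not checked"
    return "OK: chain verified against trust store and hostname checked"


if __name__ == "__main__":
    for flag in (True, False):
        print(f"accept_untrusted={flag}: {describe(upstream_context(flag))}")
```

The hardened branch only changes what is trusted, never whether verification happens; a per-site CA file is the narrowest fix and leaves every other intranet host under the default validation rules.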
6. Gateway Configuration in HA Mode 

If you have already set up your gateway in standalone mode, skip this section and continue to Gateway 
Authentication, WebDAV & Internal Proxy settings. 

6.1. Why Clustered Gateways? 

MEG gateways, when set up in a clustered High Availability (HA) configuration, all run in Active-Active 
mode: all gateways are active and handling requests. Even if one gateway server goes down, the other ones 
in the cluster can handle the traffic and prevent an outage. It is always recommended to run your gateways 
in HA mode. 

One gateway server can handle 10,000 devices, serving up to 200 devices per second with average response 
size of 50KB. If you plan to make this service available to more than 10,000 devices, you should use 
additional gateways. 


Sample scaling recommendations: 

• Non-HA gateway, fewer than 10,000 devices: 1 gateway is sufficient. No HA is possible. 

• HA gateway, fewer than 10,000 devices: 2 gateways running in clustered mode. Even if one gateway can 
handle the load, it is recommended to spin up another instance. 

• HA gateway, more than 10,000 and fewer than 20,000 devices: 3 gateways running in clustered mode. In 
case of an outage of one of the gateways, the other 2 gateways can handle the load. 

• For every further 10,000-device increment: 1 gateway per 10,000 devices, plus 1 clustered gateway for 
handling outage loads. For example, 50,000 devices would require 6 gateways. 

6.2. Clustered Mode Architectures 

6.2.1. Direct Architecture in Clustered Mode 

• In Direct Clustered mode, all gateways talk to a shared database. 

• You must implement a load balancer in your network to actively balance incoming traffic among the 
active gateways. 

• You may need to set up SSL certificates for device-to-load balancer SSL communication. 

• You may set up SSL certificates for traffic between the load balancer and the gateway. This is optional; 
the data packets between them are encrypted in any case, even over HTTP. 

Traffic through MEG proceeds between the Internet, your corporate network and IBM MaaS360 as follows: 

1. Gateway Provisioning Services (part of the IBM MaaS360 Cloud Extender) registers with IBM MaaS360 On 
Premises. 

2. The IBM MaaS360 app on the device fetches MEG details. 

3. The app connects to MEG. 

4. The app requests intranet access from IBM MaaS360 On Premises. 

5. IBM MaaS360 On Premises compares the user’s credentials with the Active Directory/ LDAP credentials 
and grants access if they match. 

6. The user can access corporate resources with the device. 

7. Information from the content repositories can be sent to the device. 


[Figure: Direct Access architecture in clustered mode. The app fetches gateway details from IBM MaaS360, 
connects to the gateways through the load balancer and sends intranet access requests; Gateway 
Provisioning Services handle gateway registration; the gateway performs user authentication & 
authorization against Active Directory/LDAP, accesses the corporate resources (intranet websites, 
SharePoint, Windows file shares) and returns the response to the mobile device.] 

6.3. Database Preparation 

Because an HA setup for MEG requires a shared database among active gateways to share configuration and 
authentication information, you must set up a database on your database server. 

MEG supports the following database servers: 

• Microsoft SQL 2008 or higher 

• MySQL 5.6.22+ 

• DB2 10.5.500.107 

6.3.1. Database Integration Requirements 

• Identify and set up the database server that the gateways can integrate with. The hostname and port 
of the database server are required for integration. 

• Create a blank database within the database server. The database name is required for integration. 

• Either a local SQL server account or a Windows NT account for database access. 

• The account requires create table, read and write permissions on the database. 

• Once the gateway service starts, it automatically creates the database tables required for the 
functioning of the gateway. 
6.3.2. Sizing Requirements 

• The recommended database size is 10KB per device. 

• If your environment also has Kerberos authentication for your websites, then the database size will 
increase significantly depending on the Kerberos token size and the number of websites that use 
Kerberos authentication. For sizing, assume 50KB per site per user. 
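The scaling table in section 6.1 and the sizing rule above are easiest to apply together. The following is an added example (not code from IBM MaaS360 or this documentation) that encodes both rules as a small planner; the constants (10,000 devices per gateway, one spare clustered gateway, 10 KB per device, 50 KB per Kerberos site per user) come from the text, while the function names, the check that a single non-HA gateway is only offered below 10,000 devices, and the assumption of one user per device when no user count is given are this example's own.

```python
"""Capacity planner for MEG gateway count and shared-database size.

Added example; this is not code from the IBM MaaS360 documentation or product.
It encodes the scaling table in section 6.1 (one gateway per 10,000 devices
plus one clustered gateway to absorb outage load; a second gateway even below
10,000 devices when HA is wanted) and the sizing rule in section 6.3.2
(10 KB per device, plus 50 KB per Kerberos-authenticated site per user).
Function and parameter names are this example's own.
"""
import math
from typing import Optional

DEVICES_PER_GATEWAY = 10_000                 # section 6.1: one gateway handles 10,000 devices
DB_BYTES_PER_DEVICE = 10 * 1024              # section 6.3.2: 10 KB per device
DB_BYTES_PER_KERBEROS_SITE_USER = 50 * 1024  # section 6.3.2: 50 KB per site per user


def gateways_required(devices: int, ha: bool = True) -> int:
    """Return the number of gateway servers for `devices`, following the scaling table."""
    if devices <= 0:
        raise ValueError("device count must be positive")
    if not ha:
        # Table row 1: a single non-HA gateway is only an option up to the per-gateway limit.
        if devices > DEVICES_PER_GATEWAY:
            raise ValueError("more than 10,000 devices needs additional gateways, i.e. an HA cluster")
        return 1
    # Table rows 2-4: one gateway per 10,000 devices (rounded up) plus one spare node,
    # so that the remaining nodes can carry the load when one gateway is down.
    return math.ceil(devices / DEVICES_PER_GATEWAY) + 1


def database_size_bytes(devices: int, kerberos_sites: int = 0,
                        users: Optional[int] = None) -> int:
    """Estimate the shared-database size: per-device baseline plus Kerberos token storage."""
    if devices <= 0 or kerberos_sites < 0:
        raise ValueError("devices must be positive and kerberos_sites non-negative")
    if users is None:
        users = devices  # assumption: one user per device when no user count is given
    return devices * DB_BYTES_PER_DEVICE + kerberos_sites * users * DB_BYTES_PER_KERBEROS_SITE_USER


def plan(devices: int, kerberos_sites: int = 0, users: Optional[int] = None,
         ha: bool = True) -> dict:
    """Combine both estimates into one summary for a deployment review."""
    size = database_size_bytes(devices, kerberos_sites, users)
    return {
        "devices": devices,
        "gateways": gateways_required(devices, ha),
        "db_bytes": size,
        "db_gib": round(size / 2**30, 2),
    }


if __name__ == "__main__":
    # Constructed sample input: 50,000 devices, 3 Kerberos-authenticated sites, one user per device.
    print(plan(50_000, kerberos_sites=3))
```

Note how much the Kerberos term dominates once a few sites are involved: three Kerberos sites add fifteen times the per-device baseline, which is why the text warns that the database grows "significantly" in that case.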

6.4. Configure MEG as HA in Direct Mode 

1. On the first configuration screen, enter the settings as described below: 

• Configuration Mode: the gateway can be configured as a standalone instance or a High Availability 
cluster. Select High Availability - Setup a new Gateway cluster. 

• Gateway Cluster Name: enter any gateway name. This is the name that appears in all IBM MaaS360 portal 
workflows. 

• Gateway Mode: select Direct. 

• Use Web Server/Load Balancer in front of the Gateway: select the checkbox. You will be required to 
configure your load balancer to: 

o Accept inbound traffic from mobile devices 

o Forward this traffic to the Gateway server 

• Gateway External URL (including port): if a load balancer is used in front of the gateway, the Gateway 
URL is the external URL (hostname) of your load balancer. If it is not used, the Gateway URL is the 
hostname of the gateway server. The external URL should include the port if it is different from the 
standard ports for HTTP or HTTPS. 

• Gateway Server Port: the port on which the gateway server runs and listens for requests. If a load 
balancer is used, ensure that it redirects traffic to this port. If it is not used, the Gateway port can 
be any open port on this gateway server. 

2. Scroll down to enter the next group of settings: 

[Screenshot: the Enterprise Gateway screen with Use Web Server/Load Balancer in front of the Gateway 
checked, Gateway External URL set to https://mycorp_load_balancer, Gateway Server Port, Use SSL checked, 
the SSL Certificate and SSL Certificate Private Key file pickers (the certificate needs to be issued by a 
Public Certificate Authority; self-signed certificates are not supported), and the Accept all Untrusted 
Certificates checkbox.] 
• Use SSL: use SSL encryption on top of the AES 256-bit end-to-end encryption to further secure 
communication between the mobile device and the gateway. This is optional; not using SSL will not 
compromise the security of MEG. 

o The SSL Certificate (see below) is used by your load balancer to initiate an SSL session to the 
gateway. 

o Traffic between the mobile device and your load balancer can be secured by your load balancer’s SSL 
certificate. Please refer to your vendor documentation for details. 

• SSL Certificate: path to the SSL certificate (.pem) file. 

• SSL Certificate Private Key: private key of the SSL certificate (.key) file. 

• Accept all Untrusted Certificates: if you select this checkbox, the gateway ignores any certificate 
exceptions from intranet resources. For example, if your intranet site has a self-signed certificate, then 
accessing this site throws a certificate exception. With this option, the exception is ignored and the 
request is served by the gateway. 

It is recommended that you not select this option. Install the site SSL certificates in the Certificate 
store of the Gateway server instead. 

• Database Setup: see Database Set Up for the different database configurations. 

6.5. Database Set Up 

Continue scrolling down to access the next settings. 

To connect the gateways to the shared database, you will need the following details: 

• Hostname/IP address and port for your database server 

• Database Name for the Mobile Enterprise Gateway 

• Service account credentials, either local or Windows NT credentials 

Here are some screens that show the configuration settings. 

6.5.1. MySQL Database Configuration 

Scroll down to enter the Database Type, Database Connection String and the authentication details. 
6.5.2. Microsoft SQL Database Configuration 

There are two choices: Active Directory and LDAP. 

For Active Directory mode, select the Service Account checkbox in the left pane and enter the Database 
Type, Database Connection String, and the authentication details. 

For LDAP mode, select the LDAP integration checkbox in the left pane and enter the Database Type, 
Database Connection String, and the authentication details. 
6.5.3. DB2 Configuration 

Continue scrolling down to enter the next group of settings. 

[Screenshot: the Shared Database for High Availability section of the Enterprise Gateway screen, with 
Database Type set to DB2, the Database Connection String jdbc:db2://{HOST}:{PORT}/{DB_NAME}, Username and 
Password fields and a Test Database Connection button, followed by the Authentication Details section 
(Users required to authenticate every (x) days; Re-use user’s credentials for internal resources that 
require Basic or Digest).] 

• Database Type: MySQL, Microsoft SQL Server or DB2; select one depending on your database type. 

• Database Connection String: the connection string is populated automatically on the gateway depending 
on the Database Type selection. Replace {HOST}, {IP_ADDR}, {PORT} and {DB_NAME} with the actual values 
from Database Integration Requirements. The connection strings are as follows: 

MySQL: jdbc:mariadb://{HOST}:{PORT}/{DB_NAME} 

MS SQL: jdbc:sqlserver://{IP_ADDR}:{PORT};databaseName={DB_NAME} 

DB2: jdbc:db2://{HOST}:{PORT}/{DB_NAME} 

• Username/Password: local credentials for a local SQL server login. 

• Use Service Account: only available in AD authentication mode for MS SQL (not available in LDAP). The 
gateway service account should have the required rights on the database. (See Database Integration 
Requirements for more information.) 

• Test Database Connection: tests the connection to the database using the specified hostname, port, 
database and service account credentials. Perform a quick test to ensure that all settings are configured 
correctly. The Cloud Extender Configuration Tool automatically rechecks database connectivity while saving 
the gateway configuration. 
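The three connection string templates above are easy to enter with a placeholder left unfilled or a port that is not a number, which the Test Database Connection step then reports only as a failed connection. The following added example (not code from IBM MaaS360 or the Cloud Extender) fills the template for each supported database type and checks for missing, empty or unreplaced values before the string is entered; the templates and placeholder names are the document's, while the function names and the sample host, port and database values are constructed for this example.

```python
"""Build and check the shared-database JDBC connection strings for MEG HA mode.

Added example, not code from IBM MaaS360 or the Cloud Extender. The three
templates are the ones quoted in the Database Connection String row; the
placeholder names {HOST}, {IP_ADDR}, {PORT} and {DB_NAME} are the document's.
The function names and the validation rules are this example's own.
"""
import re
from typing import Dict, List, Set

# Templates exactly as given for each Database Type.
TEMPLATES: Dict[str, str] = {
    "MySQL": "jdbc:mariadb://{HOST}:{PORT}/{DB_NAME}",
    "MS SQL": "jdbc:sqlserver://{IP_ADDR}:{PORT};databaseName={DB_NAME}",
    "DB2": "jdbc:db2://{HOST}:{PORT}/{DB_NAME}",
}
_PLACEHOLDER = re.compile(r"\{([A-Z_]+)\}")


def required_placeholders(db_type: str) -> Set[str]:
    """Placeholders that must be supplied for the given database type."""
    if db_type not in TEMPLATES:
        raise ValueError(f"unsupported database type: {db_type}")
    return set(_PLACEHOLDER.findall(TEMPLATES[db_type]))


def build_connection_string(db_type: str, values: Dict[str, str]) -> str:
    """Fill the template for `db_type`, rejecting missing, empty or invalid values."""
    needed = required_placeholders(db_type)
    missing = needed - set(values)
    if missing:
        raise ValueError(f"missing values for {sorted(missing)}")
    for key in needed:
        if not str(values[key]).strip():
            raise ValueError(f"{key} must not be empty")
    port = str(values["PORT"])
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("PORT must be a number between 1 and 65535")
    # str.replace rather than str.format, so extra keys in `values` are ignored
    # and a stray brace in a value cannot be mistaken for a placeholder.
    result = TEMPLATES[db_type]
    for key in needed:
        result = result.replace("{" + key + "}", str(values[key]).strip())
    return result


def unfilled_placeholders(connection_string: str) -> List[str]:
    """Return any {PLACEHOLDER} tokens still present, e.g. in a pasted template."""
    return _PLACEHOLDER.findall(connection_string)


if __name__ == "__main__":
    # Constructed sample values; not real hosts or databases.
    sample = {"HOST": "db.corp.example", "IP_ADDR": "10.0.0.5", "PORT": "50000", "DB_NAME": "megdb"}
    for db_type in TEMPLATES:
        conn = build_connection_string(db_type, sample)
        print(f"{db_type}: {conn}  (unfilled: {unfilled_placeholders(conn)})")
```

Running unfilled_placeholders over the string actually pasted into the tool catches the common mistake of saving the template itself, whereas the same string would only surface later as a failed Test Database Connection.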


6.6. Joining MEG to an Existing Cluster 

Once the first Mobile Enterprise Gateway of the cluster is set up, it generates an encrypted Identity 
Certificate for the cluster configuration and prompts you to save the certificate. 

[Screenshot: the ID Certificate section of the Enterprise Gateway screen. The MaaS360 Gateway Certificate 
is used to secure end-to-end communication between mobile devices and the gateway and is required for 
adding new gateways to this cluster for a High Availability setup; a Click Here link downloads the Gateway 
Certificate (.p12). The same screen shows the Authentication Details section and the Route all resource 
requests through a Proxy server option, used to route all requests through your corporate content 
filtering solution.] 
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This certificate is required to join new gateways to this HA cluster. If you do not find this certificate, you 
can always download it again from your first gateway clicking Download Gateway Certificate. 



To add a new gateway to an existing cluster, browse to this Gateway Certificate. All the gateway settings 
are automatically downloaded to the new gateway node. 



If the gateways have been set up in HA mode and you want to change the configuration on one of the nodes, 
you will be prompted to update the gateway configuration on other nodes when you launch the Cloud 
Extender Configuration Tool. 
You must launch the Cloud Extender Configuration Tool on all other gateways and select Update Configuration on each of them so that all the gateways are in sync.
7. Additional Gateway Configuration

7.1. Authentication Details and WebDAV 
1. Authentication Frequency (Users required to authenticate every (x) days): Specify how often the gateway needs to re-authenticate users who are connecting to the gateway. Choose any value between 1 and 90 days.

   The recommended authentication frequency is 1 day, with a setting on the IBM MaaS360 portal to cache user credentials in the IBM MaaS360 app (covered in Secure Browser Configuration). This provides a good user experience while meeting security requirements.

2. Reuse user's credentials for intranet resources that require Basic or Digest authentication: Certain intranet websites that use Basic or Digest authentication might be integrated with corporate credentials for authentication, although this is not very common. If you have this configuration:

   If the checkbox is selected:

   • If an internal site challenges for Basic or Digest authentication, the gateway supplies the user's credentials it received during gateway authentication and passes them back to the site, thereby seamlessly signing the user on to the site.

   • If the authentication fails, the challenge for credentials is sent back to the user on the IBM MaaS360 app. When the user provides credentials, a new authentication is attempted.

   • There will be a failed authentication attempt for the user before the user gets a chance to authenticate.

   If the checkbox is cleared, all Basic or Digest authentication challenges are propagated back to the user to enter manually.

3. Enable WebDAV server for Network File Share access: Enable this if you want to enable access to network file shares.
7.2. Intranet Proxy Settings

Scroll down to enter the next group of settings.

4. Route all resource requests through a Proxy server: Use this setting if, from the gateway, your intranet sites are not directly accessible without going through a proxy, or if you need to proxy all traffic through a corporate content filtering platform.

   • Manual Proxy: Enter the hostname/IP and port.

   • Proxy PAC URL: URL to a PAC file hosted in your environment.

   • Auto Proxy: A PAC file is typically hosted on your DHCP or DNS server as a Web Proxy Auto-Discovery Protocol (WPAD) file.

   • This proxy setting is only used for intranet resources. For more information about external proxy settings, see Configure the Outbound Proxy Settings for the Cloud Extender.

5. Use Proxy Authentication: If your proxy requires authentication, select the Use Proxy Authentication checkbox. To authenticate against the proxy server, the gateway uses the credentials of the user who is trying to access the resource.

   It is important that all of your users are able to authenticate against this proxy server.
Click Next. The gateway makes API calls against the IBM MaaS360 backend and completes the gateway registration process. Finish the Cloud Extender Configuration Tool workflow to complete the gateway configuration.
8. IBM MaaS360 Portal Configuration and Management

The IBM MaaS360 Secure Browser and IBM MaaS360 Docs applications allow your users to access intranet sites through the IBM MaaS360 Mobile Enterprise Gateway. This section provides details on the portal configuration that enables this access.

8.1. Secure Browser Configuration

Secure Browser configuration for intranet website access is done entirely through Workplace Persona policies.

Access the IBM MaaS360 console and open the Workplace Persona policy. Select MaaS360 Gateway Settings on the left side of the screen to display the following policy settings:


[Screenshot: Workplace Persona policy, MaaS360 Gateway Settings section, showing the settings "Allow caching of Corporate Credentials in the App" (note: if checked, the specified credentials are cached locally and the user is not prompted again until authentication fails), "Identity Certificate" (the gateway caches the identity certificate and presents it to the intranet site when challenged), "Enable Corporate Network Detection to skip use of Enterprise Gateway", and, under Configure Corporate Network Detection, "Corporate Network Server" (configure one or more URLs that are accessible only within your corporate network and can be used to detect the corporate network; include http/https as required in the URL specified).]


1. Allow caching of Corporate Credentials in the App: User credentials are saved within the Secure Browser app in its encrypted database, and protected overall by container security.

   The browser re-authenticates against the gateway using these credentials without prompting the user to re-enter them each time.

   Users are prompted for credentials only when their passwords change and the browser fails to authenticate against the gateway.

2. Identity Certificate: Choose the Identity Certificate Template (from your Cloud Extender's Certificate Integration setup).

   This identity certificate can be used by the gateway to authenticate against upstream intranet sites that challenge for identity certificate credentials.

3. Enable Corporate Network Detection: Browser traffic for intranet sites skips the gateway route if any specified Corporate Network Server is resolvable by the browser.

   In that case, any sites that require identity certificate-based authentication will not work: it is the gateway that presents the identity certificate to intranet sites that challenge for it, and in the corporate network use case the gateway route is bypassed.
Click Browser on the left side of the screen to expand the options. Select MaaS360 Enterprise Gateway.



1. Default Gateway: Select one of the gateways/gateway clusters you have already set up. The gateway name automatically appears on the drop-down list.

   All devices associated with this policy will communicate with this gateway if no regional gateways have been configured.

2. Configure Regional Gateway: Select the checkbox to route devices to regional gateways/gateway clusters based on the geography of the device.

   Specify the country list and the regional gateway that the devices in that country should communicate with.

   The location (country) of the device is determined by the time zone setting on the device and the device's GPS location.

   This feature allows you to manage one persona policy for all devices and still achieve location awareness for all devices around the globe.

3. Access List for Intranet Resources: Specify the domains or IP addresses of intranet sites that devices connecting to the gateway are allowed to reach. Use wildcards for domains, like *.companydomain.com (regular expressions).

   It is recommended to restrict this access list to intranet sites and domains only, and not to proxy traffic to public sites.

4. Exceptions: If your access list is set to *.companydomain.com but you want certain traffic, such as email or OWA, not to be proxied via the gateway, you can use the exception list.

   Add email.companydomain.com as an exception, and that traffic will connect directly to your server on the internet without using the gateway.
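The access list and exception list above decide, per host, whether the Secure Browser routes a request through the gateway. The following is an added example (not MaaS360 code) that models that decision and lints the list for entries broad enough to proxy public traffic; it assumes glob-style host patterns or literal IP addresses as entries, that an exception always wins over an access-list match, and that a host on neither list connects directly.

```python
"""Model of the Secure Browser gateway routing decision from the policy above.

Added example, not MaaS360 code. Assumptions: access-list entries are either
glob-style host patterns ("*.companydomain.com") or literal IP addresses;
an entry on the exception list always wins over an access-list match; and a
host matching neither list is connected directly rather than via the gateway.
"""
from __future__ import annotations

import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GatewayPolicy:
    """Access list and exception list from the MaaS360 Enterprise Gateway policy."""
    access_list: list[str]
    exceptions: list[str] = field(default_factory=list)


def _as_ip(value: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
    """Parse a literal IP address; hostnames and patterns return None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _matches(host: str, entry: str) -> bool:
    """True if host matches one access-list or exception entry."""
    host = host.strip().lower().rstrip(".")
    entry = entry.strip().lower().rstrip(".")
    if not entry:
        return False
    entry_ip = _as_ip(entry)
    if entry_ip is not None:
        # Literal IP entry: compare as addresses, so it never matches a hostname.
        return _as_ip(host) == entry_ip
    # Hostname pattern: "*" is a wildcard. Note that "*.companydomain.com" does
    # not match the bare "companydomain.com"; give the apex its own entry.
    return fnmatch.fnmatchcase(host, entry)


def route_via_gateway(host: str, policy: GatewayPolicy) -> bool:
    """Decide whether the Secure Browser should send this host through the gateway."""
    if any(_matches(host, e) for e in policy.exceptions):
        return False  # exception list wins: connect directly
    return any(_matches(host, e) for e in policy.access_list)


def lint_access_list(policy: GatewayPolicy) -> list[str]:
    """Flag access-list entries broad enough to proxy public internet traffic."""
    findings = []
    for entry in policy.access_list:
        cleaned = entry.strip().lower()
        if _as_ip(cleaned) is not None:
            continue
        # Strip the leading wildcard and dot; what remains should be a real
        # domain (at least one dot), not a bare TLD or an empty string.
        remainder = cleaned.lstrip("*").lstrip(".")
        if not remainder or "." not in remainder:
            findings.append(f"entry {entry!r} is broader than a single intranet domain")
    return findings


if __name__ == "__main__":
    # Constructed sample policy mirroring the *.companydomain.com example above.
    sample = GatewayPolicy(
        access_list=["*.companydomain.com", "10.20.30.40"],
        exceptions=["email.companydomain.com"],
    )
    for h in ["intranet.companydomain.com", "email.companydomain.com", "10.20.30.40"]:
        print(f"{h:30} via gateway: {route_via_gateway(h, sample)}")
    print("lint:", lint_access_list(GatewayPolicy(access_list=["*.com"])))
```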


8.2. SharePoint/CMIS Configuration 

IBM MaaS360 Secure Document container allows users to access SharePoint/CMIS repositories and view all 
files in a Document View. 

Go to Docs>Content Sources to set it up. Select Add Source>Microsoft SharePoint.


[Screenshot: Add SharePoint Site dialog with the fields Site Display Name ("This is what your end user will see"), Site Visibility (Internal/External), Select Gateway ("Select the Gateway for this File Share"), Configure Regional Gateways ("Enterprise Gateway to use when devices are connecting from the specified country"), Browser URL ("Copy this from the browser where you access a SharePoint folder. To let users add their own SharePoint Sites, provide a URL of type http://mysharepoint.mydomain.com/* (supported on MaaS360 for iOS 2.90+ and MaaS360 Android 5.21+)"), and Group Access Permissions ("Select group and set permissions. 'Use Workplace Settings' is supported on iOS App 2.40+ and Android App 5.00+").]


1. Site Display Name: The name of the site that your end users will see on their devices.

2. Site Visibility: Select Internal to route the traffic through the gateway. Select External if your SharePoint site is publicly hosted and does not require gateway access.

3. Select Gateway: Select one of the gateways/gateway clusters you have already set up. The gateway name automatically appears on the drop-down list.

   All devices associated with this distribution will communicate with this gateway if there are no regional gateways configured.

4. Configure Regional Gateway: Enabling this feature allows you to route devices to regional gateways/gateway clusters based on the geography of the device.

   Specify the country and the regional gateway that the devices in that country should communicate with.

   The location (country) of the device is determined by the time zone setting on the device and the device's GPS location.

   This feature allows you to manage one distribution for all devices and still achieve location awareness for all devices around the globe.

5. Browser URL: URL to your SharePoint site. Access your SharePoint site from your browser and paste the link to the site directly here.

   You will need a new distribution per site.

6. Group Access Permissions: Allows you to distribute the SharePoint site to the targeted devices along with the permissions associated with the distribution.


8.3. Windows File Share 


IBM MaaS360 Secure Document container allows users to access Windows File Shares on their Mobile Devices 
and view all files in a Document View. 


Select Docs>Content Sources. Select Add Source>Windows File. 


[Screenshot: Add Windows File Share dialog with the fields Display Name ("This is what your end user will see"), Gateway Type (Legacy or MaaS360 Enterprise Gateway), Select Gateway ("Select the Gateway for this File Share"), Configure Regional Gateways ("Enterprise Gateway to use when devices are connecting from the specified country"), Folder Path ("This can be either in the URL format (servername/file_path) or in the UNC naming format (\\server\share\file_path). For example: demoserver.corpdomain.local/sales/docs or \\demoserver\sales\docs. The %username% variable can be used to represent the username provided during enrollment."), and Group Access Permissions ("Select group and set permissions").]


1. Display Name: The name of the Windows File Share that your end users will see on their devices.




2. Select Gateway: Select one of the gateways/gateway clusters you have already set up. The gateway name automatically shows up on the drop-down list as long as it has the Network File Share feature enabled.

   All devices associated with this distribution will communicate with this default gateway if there are no regional gateways configured.

3. Configure Regional Gateway: Enabling this feature allows you to route devices to regional gateways/gateway clusters based on the geography of the device.

   Specify the country and the regional gateway that the devices in that country should communicate with.

   The location (country) of the device is determined by the time zone setting on the device and the device's GPS location.

   This feature allows you to manage one distribution for all devices and still achieve location awareness for all devices around the globe.

4. Folder Path: UNC path to your Windows File Share (\\server\share\file_path).

   To use this feature, WebDAV needs to be enabled on your gateways.

   %username% variables can be used to distribute user-specific file shares if the folder names are the same as the IBM MaaS360 usernames.

5. Group Access Permissions: Allows you to distribute the file shares to the targeted devices along with the permissions associated with the distribution.
9. Portal Management Workflows

The MaaS360 portal offers a Cloud Extender view that shows your gateway installation. This view also helps confirm whether your gateway is active and online. (The Cloud Extender Online indicator appears in the top right corner.)

This view can be accessed by navigating to Setup>Cloud Extender. 

On this screen, you can pick your Gateway server. After the page loads, select Summary>Enterprise 
Gateway. The page shows the following details: 

• Gateway Settings: Name, Mode, WebDAV details and related settings. 

• High Availability details: Mode, Database Type and service accounts. 

• Authentication mode: AD/LDAP and associated authentication settings. 

• Gateway Statistics. 

• Internal Proxy details (if configured). 


[Screenshot: Cloud Extender view for a gateway device, showing License Status, Last Reported and Installed Date at the top, followed by the Gateway Settings section (Gateway Name, Gateway Mode, Last Cluster Configuration Modified Time, Last Configuration Modified Date, Relay Server, Direct URL, Use a Webserver or a Load balancer in Front of Gateway, Local Port on Which Gateway is Running, Accept All Untrusted Certificates, Enable WebDAV Server for Network File Share Access, SSL Enabled) and the High Availability Setup section (Configuration Mode, Database Type for High Availability, Use Service Account for Database Access, Database Username, Database Connection String, Database Domain).]



Scroll down to see all the settings. 



This view also provides an action to test the reachability of intranet sites.

Select the Actions pull-down menu, and click Test Reachability (Enterprise Gateway). Specify the hostname/intranet site and confirm the reachability of this site from the gateway.

Note: This action is sent directly from the IBM MaaS360 portal to the gateway.
[Screenshot: Cloud Extender Actions menu (Configure Cloud Extender Settings, Refresh Data (Enterprise Gateway), Test Reachability (Enterprise Gateway), Mark as inactive, Uninstall Cloud Extender) and the Test Reachability dialog, which prompts for the URL to test and reports Yes or No.]


MaaS360 also offers a new view of your gateways and clusters. You can access this workflow from 
Setup>Mobile Enterprise Gateway. This consolidated view shows all gateways, their configuration mode, 
and node counts per cluster. 


[Screenshot: Mobile Enterprise Gateway list with the columns Cluster Name, Mode, Configuration, Node Count, Installation Date and Last Modified Date, showing one cluster ("MaaS360 Gateway", RELAY mode, Standalone configuration, 1 node).]


The detailed view also provides a summary of all the settings from a cluster point of view and details of all 
active nodes. 
[Screenshot: cluster detail view for "MaaS360 Gateway" with the Gateway Settings section (Cluster Name, Configuration, Mode, Relay Server To Use, Direct URL, Use a Webserver or a Load balancer in front of Gateway, Local Port on which Gateway is running, Accept all Untrusted Certificates, Enable WebDAV Server for Network File Share access), the Active Gateway Nodes table (Server Name, Installed Date, Last Reported) and the Shared Database for High Availability section (Database Type, Connection string, Database Username).]





Scroll down to see all the settings. 
10. Mobile App Configuration

IBM MaaS360 provides an app for Android and iOS that allows you to check on the status of the MEG.

Enroll your iOS or Android device in IBM MaaS360, and assign to it the persona policy that has Secure Browser features enabled.

10.1. iOS Experience

When you first launch the browser, you are prompted for your credentials. Once authenticated, you can access your intranet sites.



You can get access to MEG reports. 
IBM MaaS360 Secure Document Sharing allows you to view and update
documents distributed from the IBM MaaS360 console and from file 
shares. 



IBM MaaS360 Secure Document Sharing lets you look at the common 
file types, including Word, Excel, PowerPoint and PDF. For details, 
refer to the product documentation. 
10.2. Android Experience

When you first launch the browser, you are prompted for your credentials. Once authenticated, you can access your intranet sites.



You can get access to MEG reports. 


IBM MaaS360 Secure Document Sharing allows you to view and update
documents distributed from the IBM MaaS360 console and from file 
shares. 



IBM MaaS360 Secure Document Sharing lets you look at the common file types, including Word, Excel, 
PowerPoint and PDF. For details, refer to the product documentation. 


11. Support & Troubleshooting

Frequently Asked Questions (FAQs)

All my users are unable to access one intranet site through the IBM MaaS360 Secure Browser. How can I fix this?

1. Make sure the site in question is part of the proxy access list in persona policies.

2. Log on to the server on which the gateway is installed, open a browser and try accessing the intranet site.

3. Try connecting the device to the corporate network (either Wi-Fi or VPN) and see if the site is accessible.

4. If both (1) and (2) are not working, the intranet site might have gone down.

5. Open the browser on the gateway, use developer tools and capture logs while loading the site in 
question. 

6. Gather Gateway logs (using procedure highlighted below) and send it to your IBM MaaS360 contact for 
analysis. 

None of my users are able to access ANY intranet sites through the IBM MaaS360 Secure Browser. 
What should I do? 

1. Log on to the server on which the gateway is installed, open the Services console and ensure that the Cloud Extender service is running. If not, start the service.

2. With a test device, start the Secure Browser app, authenticate (if required) and confirm that you are 
able to access the intranet sites. 

3. If it’s still not working, open the browser on the gateway server and try accessing intranet sites that are 
published. Check to see if there have been any recent firewall/proxy changes in your internal network 
that might be blocking this access. 

4. Gather gateway logs (using the procedure below) and send it to IBM MaaS360 for analysis. 

How can I collect gateway logs? 

1. Replicate the issue in question and note down the timestamp.

2. Log on to the server on which the gateway is installed. 

3. Browse to the C:\Program Files (x86)\MaaS360\Cloud Extender folder.

4. Double click on DiagnosticCmd.exe. The tool runs and collects all relevant logs for the gateway and 
places a zip file on your Desktop. 

5. Send this zip folder to IBM Support along with detailed description and the timestamp when the issue 
was replicated. Please provide your account number with the logs. 

How can I collect IBM MaaS360 Secure Browser logs? 

1. Replicate the issue in question using the Secure Browser and note the timestamp.

2. In iOS, open the IBM MaaS360 Secure Browser. Click on the 3 dots after the address bar, select Settings 
>> Email Logs. This will launch your email client (native/secure) with a new email and logs as 
attachments. 

3. In Android, open MaaS360 App, navigate to Settings >> Email Logs. On the Secure Browser Settings 
menu, there is an option to enable verbose logging as well, in case of assisted troubleshooting. 
Where can I find the log files on the Mobile Enterprise Gateway?

Navigate to the C:\ProgramData\MaaS360\Cloud Extender\logs folder:

• MobileGateway.log contains all activities of the gateway 

• MobileGatewayAuth.log has all authentication attempts 

• MobileGatewayAccess.log has details of all the intranet resources accessed by end users 

• MobileGatewayWebResAuth.log contains all authentication attempts against intranet resources 

How can I check the version of the IBM MaaS360 Secure Browser installed on my device? 

• In iOS, go to Settings> Browser. The Version field displays the version of the browser. 

• In Android, go to Settings> Application Manager>Browser to access the version. 
12. Appendix A: Cross-Forest and Cross-Domain Authentication

IBM MaaS360 Mobile Enterprise Gateway requires users to authenticate against Corporate Directory Services 
before letting them access intranet resources. It integrates with both Active Directory and LDAP servers to 
achieve this form of authentication. 

With respect to Active Directory integration for user authentication, the gateway needs to be configured as 
a Service Account that is a Domain User for a particular domain. The gateway, by default, can only 
authenticate users belonging to that particular domain within the forest. 

We have run into multiple Active Directory environments that have multiple domains in a forest and 
multiple such forests. All these forests and domains trust each other. 

Mobile Enterprise Gateway implementation for Active Directory User Authentication can be extended to 
integrate with multi-domain/multi-forest environments. 

This section explains how you can achieve this integration. 

12.1. Active Directory Structure Example 

There are 2 forests and 3 domains, all trusting one another. 



When you enable User Authentication for Active Directory, the default implementation only authenticates 
users within the context of the service account domain. To extend the authentication scope to all forests 
and domain, you will need to perform a few additional steps as shown in the next section. 
12.2. Setting Up Cross-Forest/Cross-Domain Authentication

A few registry key additions/modifications are needed in order for the gateway to support multi 
domain/forest authentication. This must be done manually because the keys may already exist. 

1. Open Registry Editor (regedit.exe) on the Cloud Extender server.

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fiberlink\V360.

3. Create a new string value in the V360 key:

   a. ADD_REG_POLICY_GROUP=UA_PLC

   Note: If this value already exists, append UA_PLC to the list, separated by a semicolon (;).

4. Create a new key under V360 named UA_PLC:

   • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fiberlink\V360\UA_PLC



5. Create two new string values under UA_PLC:

   • FQDNMapFilePath=C:\ProgramData\MaaS360\Cloud Extender\AR\Data\FQDNMap.txt

   • SearchAllForests=Y
6. Create a FQDNMap.txt file using any text editor:

   a. The mapping file is a text file that contains one entry per line for each domain:

      i. For the Active Directory structure example above, the file contents should look like the example below (with the short domain name on the left side of the = sign and the FQDN on the right).

      ii. It is very important to map both combinations:

      shortDomainName = FQDN
      FQDN = FQDN

      domainA = domainA.rootDomain1.mycorp.com
      domainB = domainB.rootDomain1.mycorp.com
      domainC = domainC.rootDomain2.mycorp.com

      domainA.rootDomain1.mycorp.com = domainA.rootDomain1.mycorp.com
      domainB.rootDomain1.mycorp.com = domainB.rootDomain1.mycorp.com
      domainC.rootDomain2.mycorp.com = domainC.rootDomain2.mycorp.com

Note: Each line in the file must be terminated with either a <CRLF> (the DOS line-ending convention) or an <LF> (the UNIX line-ending convention).

7. Save the file as FQDNMap.txt.

8. Copy the FQDN map file FQDNMap.txt to C:\ProgramData\MaaS360\Cloud Extender\AR\Data\.

9. Restart the Cloud Extender Service.

Note: If multiple Gateways are implemented in an HA fashion, implement the same steps on all gateways that implement the User Authentication Service.
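A missing "FQDN = FQDN" self-mapping or a stray line ending is easy to introduce by hand and silently breaks cross-domain logons, so it is worth generating and checking the map file rather than typing it. The following is an added example, not IBM's tool: it renders FQDNMap.txt from a short-name to FQDN table (the domain names are constructed samples from section 12.1) and flags a file that breaks either rule from step 6.

```python
"""Generate and check the FQDNMap.txt file from the procedure above.

Added example, not IBM's tool. The domain names are constructed sample values.
It encodes the two rules the procedure gives, one "shortDomainName = FQDN"
line and one "FQDN = FQDN" line per domain, each terminated with CRLF or LF,
and reports a file that violates them.
"""
from __future__ import annotations

from pathlib import Path

# Constructed sample layout matching section 12.1: short domain name -> FQDN.
SAMPLE_DOMAINS = {
    "domainA": "domainA.rootDomain1.mycorp.com",
    "domainB": "domainB.rootDomain1.mycorp.com",
    "domainC": "domainC.rootDomain2.mycorp.com",
}

# Location named by the FQDNMapFilePath registry value in step 5.
DEFAULT_PATH = Path(r"C:\ProgramData\MaaS360\Cloud Extender\AR\Data\FQDNMap.txt")


def build_fqdn_map(domains: dict[str, str], newline: str = "\r\n") -> str:
    """Render the file text: short-name lines first, then the FQDN self-mappings."""
    if newline not in ("\r\n", "\n"):
        raise ValueError("each line must end with CRLF or LF")
    lines = [f"{short} = {fqdn}" for short, fqdn in domains.items()]
    lines += [f"{fqdn} = {fqdn}" for fqdn in domains.values()]
    return newline.join(lines) + newline


def parse_fqdn_map(text: str) -> dict[str, str]:
    """Read 'left = right' lines; blank lines are skipped, anything else is an error."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        left, right = (part.strip() for part in line.split("=", 1))
        mapping[left] = right
    return mapping


def check_fqdn_map(text: str) -> list[str]:
    """Return a list of problems; an empty list means the file follows both rules."""
    problems: list[str] = []
    # A bare CR is neither the DOS nor the UNIX convention the note requires.
    if "\r" in text.replace("\r\n", ""):
        problems.append("bare CR line ending found; use CRLF or LF")
    mapping = parse_fqdn_map(text)
    lower = {k.lower(): v for k, v in mapping.items()}  # DNS names are case-insensitive
    for left, right in mapping.items():
        if "." not in right:
            problems.append(f"{left}: right-hand side {right!r} is not an FQDN")
        if right.lower() not in lower:
            problems.append(f"{right}: missing 'FQDN = FQDN' self-mapping line")
        elif lower[right.lower()].lower() != right.lower():
            problems.append(f"{right}: self-mapping line points to {lower[right.lower()]!r}")
    return problems


def write_fqdn_map(path: Path, domains: dict[str, str], newline: str = "\r\n") -> Path:
    """Write the file as bytes so Python does not rewrite the chosen line ending."""
    path.write_bytes(build_fqdn_map(domains, newline).encode("utf-8"))
    return path


if __name__ == "__main__":
    rendered = build_fqdn_map(SAMPLE_DOMAINS)
    print(rendered, end="")
    print("problems:", check_fqdn_map(rendered) or "none")
```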